Cyber Update

Google Patches Android Custom Boot Mode Vulnerability: A high-risk Android custom boot mode vulnerability was one of many bugs patched by Google as part of its January Android Security Bulletin released earlier this week. On Thursday, the IBM security team that discovered the vulnerability disclosed details about the flaw which leaves Nexus 6 and P6 model handsets open to denial of service and elevation of privilege attacks. ThreatPost, January 6, 2017

Cyber Defense

Top 5 Free Encryption Messaging Apps: This year saw an increase in the level of security for some major messaging services, including Facebook Messenger and WhatsApp. Yahoo, December 30, 2016

Information Security Management in the Organization

Information Security Management and Governance

Strong Cybersecurity Talent in Short Supply in Face of Rising Demand: Can armies of interns close the cybersecurity skills gap? asked a Fast Company story in September of 2016. Not likely. In the U.S., and internationally, there’s not enough cybersecurity grads — or computer science grads with cyber credits. In the U.S., students can graduate from some of the top computer science programs with little to no cybersecurity courses. CSO, January 6, 2017

Cyber Warning

Cyber Criminals Using Twitter To Snatch Bank Info From Unsuspecting Customers: Cyber criminals are waiting for banks to have online technical difficulties and then step in to target bank customers who complain about technical problems online. Using fake Twitter accounts that look just like the banks', they trick customers into handing over their banking credentials. Robert Capps, VP of Business Development at NuData Security, commented below. InformationSecurityBuzz, January 7, 2017

Hackers Target Schools With Ransomware By Mimicking Department Of Education: Hackers are sending ransomware-infected emails directly to head teachers after posing as officials from the Department of Education. The cyber criminals have been gaining email addresses by calling schools and offering exam guidance or mental health assessments. The ransom is believed to be up to £8,000. Fraser Kyne, EMEA CTO at Bromium, commented below. InformationSecurityBuzz, January 7, 2017

“Cardless ATM” Fraud Danger As Cyber Criminals Use Stolen Passwords: Some financial institutions are now offering so-called “cardless ATM” transactions that allow customers to withdraw cash using nothing more than their mobile phones. But as the following story illustrates, this new technology also creates an avenue for thieves to quickly and quietly convert stolen customer bank account usernames and passwords into cold hard cash. Worse still, fraudulent cardless ATM withdrawals may prove more difficult for customers to dispute because they place the victim at the scene of the crime. KrebsOnSecurity, January 5, 2017

Cyber Danger

4 information security threats that will dominate 2017: The Information Security Forum (ISF), a global, independent information security body that focuses on cyber security and information risk management, forecasts businesses will face four key global security threats in 2017. Supercharged connectivity and the IoT will bring unmanaged risks. Crime syndicates will take quantum leap with crime-as-a-service. New regulations will bring compliance risks. Brand reputation and trust will be a target.

Cyber Defense

Class Breaks – What They Are and the Magnitude of Their Danger: There’s a concept from computer security known as a class break. It’s a particular security vulnerability that breaks not just one system, but an entire class of systems. Examples might be a vulnerability in a particular operating system that allows an attacker to take remote control of every computer that runs on that system’s software. Or a vulnerability in Internet-enabled digital video recorders and webcams that allow an attacker to recruit those devices into a massive botnet. Schneier on Security, December 30, 2016

Cyber Security in Society

National Cyber Security

Intelligence Agency Report Attributing Breach of DNC to Russia: “Assessing Russian Activities and Intentions in Recent US Elections” is a declassified version of a highly classified assessment that has been provided to the President and to recipients approved by the President. Office of the Director of National Intelligence, January 6, 2017

What Intelligence Agencies Concluded About the Russian Attack on the U.S. Election: The office of the director of national intelligence on Friday released a long-awaited unclassified version of its report for President Obama on what the intelligence agencies said was a multifaceted attempt to influence the 2016 presidential election. The report included only the agencies’ conclusions, not the actual intelligence or technical information on which they were based. The New York Times, January 6, 2017

Why Proving the Source of a Cyberattack is So Damn Difficult: President Barack Obama’s public accusation of Russia as the source of the hacks in the US presidential election and the leaking of sensitive emails through WikiLeaks and other sources has opened up a debate on what constitutes sufficient evidence to attribute an attack in cyberspace. The answer is both complicated and inherently tied up in political considerations. Schneier on Security, January 5, 2017

White House fails to make case that Russian hackers tampered with election: Talk about disappointments. The US government’s much-anticipated analysis of Russian-sponsored hacking operations provides almost none of the promised evidence linking them to breaches that the Obama administration claims were orchestrated in an attempt to interfere with the 2017 presidential election. ars technica, December 30, 2016

Krebs Opines on the DNC Hack … and Other Cyber Incidents: Over the past few days, several longtime readers have asked why I haven’t written about two stories that have consumed the news media of late: The alleged Russian hacking attacks against the U.S. Democratic National Committee (DNC) and, more recently, the discovery of malware on a laptop at a Vermont power utility that has been attributed to Russian hacker groups. KrebsOnSecurity, January 3, 2017

Task Force Issues ‘From Awareness to Action: A Cybersecurity Agenda for the 45th President’: A task force co-chaired by two U.S. lawmakers and a former federal CIO is issuing a 34-page report recommending a cybersecurity agenda for the incoming Trump administration. The report recommends the new administration jettison outdated ways the federal government tackles cybersecurity, noting: “Once-powerful ideas have been transformed into clichés.” BankInfoSecurity, January 4, 2017

How Hackers Could Jam 911 Emergency Calls: It’s not often that any one of us needs to dial 911, but we know how important it is for it to work when one needs it. It is critical that 911 services always be available—both for the practicality of responding to emergencies, and to give people peace of mind. But a new type of attack has emerged that can knock out 911 access—our research explains how these attacks occur as a result of the system’s vulnerabilities. We show how these attacks can create extremely serious repercussions for public safety. FastCompany, January 6, 2017

Stewart Baker Cyberlaw Podcast – News Roundup: We start 2017 the way we ended 2017, mocking the left/lib bias of stories about intercept law. Remember the European Court of Justice decision that undermined the UK’s new Investigatory Powers Act and struck down bulk data retention laws around Europe? Yeah, well, not so much. Maury Shenk walks us through the decision and explains that it allows bulk data retention to continue for “serious” crime, which is really the heart of the matter. Steptoe Cyberblog, January 3, 2017

Hacker threats to smart power grids: Europe is investing in power grids that save consumers money and easily handle surges from wind and solar sources — features critical to curbing climate change and cutting the Continent’s reliance on coal. But these electricity networks of the future also create big risks. Politico, January 4, 2017

The FTC’s Internet of Things (IoT) Challenge: One of the biggest cybersecurity stories of 2017 was the surge in online attacks caused by poorly-secured “Internet of Things” (IoT) devices such as Internet routers, security cameras, digital video recorders (DVRs) and smart appliances. Many readers here have commented with ideas about how to counter vulnerabilities caused by out-of-date software in IoT devices, so why not pitch your idea for money? Who knows, you could win up to $25,000 in a new contest put on by the U.S. Federal Trade Commission (FTC). KrebsOnSecurity, January 4, 2017